HOMOMORPHIC ENCRYPTIONAND
LATTICE BASED CRYPTOGRAPHY
Abderrahmane Nitaj
Laboratoire de Mathematiques Nicolas Oresme
Universite de Caen Normandie, France
Nouakchott, February 15-26, 2016
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
Contents
1 Introduction
2 Homomorphic encryption
3 LWE
4 NTRU
5 Lattices
6 Bibliography
7 Conclusion
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 2 / 51
Introduction
Contents
1 Introduction
2 Homomorphic encryption
3 LWE
4 NTRU
5 Lattices
6 Bibliography
7 Conclusion
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 3 / 51
Introduction
Cryptography in daily life
1 Cell phone conversations
2 Emails
3 Shopping online
4 Online banking
5 Aircraft Communications
6 Satellite communications
7 Government communications
8 Medical records
9 Cloud storage (Dropbox, Microsoft OneDrive, Google Drive,...)
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 4 / 51
Introduction
RSA
RSA
Invented in 1978 by Rivest, Shamir and Adleman.
Hard Problem : IFP
Integer Factorization Problem:
Let N = pq be the product of two large prime numbers pand q. The integer factorization problem is to find p andq.
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 5 / 51
Introduction
RSA
RSA
Invented in 1978 by Rivest, Shamir and Adleman.
Hard Problem : IFP
Integer Factorization Problem:
Let N = pq be the product of two large prime numbers pand q. The integer factorization problem is to find p andq.
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 5 / 51
Introduction
RSA
RSA
Invented in 1978 by Rivest, Shamir and Adleman.
Hard Problem : IFP
Integer Factorization Problem:
Let N = pq be the product of two large prime numbers pand q. The integer factorization problem is to find p andq.
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 5 / 51
Introduction
Diffie-Hellman and El Gamal
Diffie-Hellman: invented in 1976 by W. Diffie and M. Hellman.
El Gamal: invented in 1985 by T. El Gamal.
Hard Problem: DLP
Discrete Logarithm Problem:
Let g and b be two positive integers and p be primenumber. Find x such that gx ≡ b (mod p).
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 6 / 51
Introduction
Diffie-Hellman and El Gamal
Diffie-Hellman: invented in 1976 by W. Diffie and M. Hellman.
El Gamal: invented in 1985 by T. El Gamal.
Hard Problem: DLP
Discrete Logarithm Problem:
Let g and b be two positive integers and p be primenumber. Find x such that gx ≡ b (mod p).
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 6 / 51
Introduction
ECC
ECC
ECC (Elliptic Curve Cryptography), invented in 1985 (independently)by Koblitz and Miller.
Hard Problem: ECLDPElliptic Curve Discrete Logarithm Problem :
Let P and Q be tow points on an elliptic curve E. Findn such that nP = Q.
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 7 / 51
Introduction
ECC
ECC
ECC (Elliptic Curve Cryptography), invented in 1985 (independently)by Koblitz and Miller.
Hard Problem: ECLDPElliptic Curve Discrete Logarithm Problem :
Let P and Q be tow points on an elliptic curve E. Findn such that nP = Q.
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 7 / 51
Homomorphic encryption
Contents
1 Introduction
2 Homomorphic encryption
3 LWE
4 NTRU
5 Lattices
6 Bibliography
7 Conclusion
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 8 / 51
Homomorphic encryption
Desirable cryptographic propertiesFor the cloud
Store encrypted data on the cloud.
Allow the cloud to process on the encrypted data
Perform computations or search on data without decrypting it.
Decrypt the result to get the same answer as performing an analogousoperation on the original data.
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 9 / 51
Homomorphic encryption
Desirable cryptographic properties
Example
Store the emails on the cloud.
Encrypt an inquiry and perform it on the cloud without decrypting it.
Decrypt the result to get the same answer as performing an analogousoperation on the original data.
The simplified scheme
Encrypt a data x as Enc(x) and store it on the cloud.
Encrypt a function f as Enc(f) and send it to the cloud.
Ask the cloud to perform Enc(f)[Enc(x)]=Enc(f(x)).
Download Enc(f(x)) and decrypt it to get f(x).
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY10 / 51
Homomorphic encryption
Desirable cryptographic properties
Example
Store the emails on the cloud.
Encrypt an inquiry and perform it on the cloud without decrypting it.
Decrypt the result to get the same answer as performing an analogousoperation on the original data.
The simplified scheme
Encrypt a data x as Enc(x) and store it on the cloud.
Encrypt a function f as Enc(f) and send it to the cloud.
Ask the cloud to perform Enc(f)[Enc(x)]=Enc(f(x)).
Download Enc(f(x)) and decrypt it to get f(x).
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY10 / 51
Homomorphic encryption
Homomorphic systems
The concept of homomorphic encryption
It allows certain types of operations to be carried out on theencrypted data without the need to decrypt them.
Proposed by Rivest, Adleman, and Dertouzos in 1978.
Many schemes are partially homomorphic.
In 2009, Gentry presented the first fully homomorphic encryptionscheme: totally impracticable.
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY11 / 51
Homomorphic encryption
Homomorphic systems
Homomorphism
If (G1, ∗) and (G2,⊗) are two groups, then a function f : G1 −→ G2 is agroup homomorphism if
f(x ∗ y) = f(x)⊗ f(y)
for all x, y ∈ G1
Examples: f(x) = ex, f(x) = log(x),....
Partially homomorphic encryption
Additively homomorphic: Enc(x)+Enc(y)= Enc(x+ y).
Multiplicatively: Enc(x)× Enc(y)= Enc(x× y).
Fully homomorphic encryption (FHE)
Fully homomorphic encryption allows to do arbitrary computations onencrypted data without decrypting it.
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY12 / 51
Homomorphic encryption
The RSA example
RSA addition: not homomorphic
Private The cloud
m1RSA(N,e)−−−−−−→ c1 ≡ me
1 (mod N)
m2RSA(N,e)−−−−−−→ c2 ≡ me
2 (mod N)↓ ⊕
(me1 +me
2)d 6≡ m1 +m2
RSA(N,d)←−−−−−− c1 + c2 ≡ me1 +me
2 (mod N)
RSA multiplication: homomorphic
Private The cloud
m1RSA(N,e)−−−−−−→ c1 ≡ me
1 (mod N)
m2RSA(N,e)−−−−−−→ c2 ≡ me
2 (mod N)↓ ⊗
((m1m2)e)d ≡ m1m2
RSA(N,d)←−−−−−− c1c2 ≡ (m1m2)e (mod N)
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY13 / 51
Homomorphic encryption
The RSA example
RSA addition: not homomorphic
Private The cloud
m1RSA(N,e)−−−−−−→ c1 ≡ me
1 (mod N)
m2RSA(N,e)−−−−−−→ c2 ≡ me
2 (mod N)↓ ⊕
(me1 +me
2)d 6≡ m1 +m2
RSA(N,d)←−−−−−− c1 + c2 ≡ me1 +me
2 (mod N)
RSA multiplication: homomorphic
Private The cloud
m1RSA(N,e)−−−−−−→ c1 ≡ me
1 (mod N)
m2RSA(N,e)−−−−−−→ c2 ≡ me
2 (mod N)↓ ⊗
((m1m2)e)d ≡ m1m2
RSA(N,d)←−−−−−− c1c2 ≡ (m1m2)e (mod N)
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY13 / 51
Homomorphic encryption
Partial homomorphic systems
RSA: multiplicatively homomorphic
Given c1 ≡ me1 (mod N), c2 ≡ me
2 (mod N). Then
c1 × c2 ≡ me1 ×me
2 ≡ (m1 ×m2)e (mod N).
ElGamal: multiplicatively homomorphic
Given c1 =(ga1 , ga1b1m1
)(mod p), c2 =
(ga2 , ga2b2m2
)(mod p). Then
c1 × c2 =(ga1+a2 , ga1b1+a2b2m1m2
)(mod p).
Paillier: additively homomorphic
Given c1 = gm1rN1 (mod N2), c2 = gm2rN2 (mod N2). Then
c1 × c2 = gm1+m2(rs)N (mod N2).
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY14 / 51
Homomorphic encryption
DGHV: Somewhat Homomorphic Encryption
DGHV: 2010
Invented by van Dijk, Gentry, Halevi, and Vaikuntanathan.
The first fully homomorphic encryption over the integers.
Choose a secret large prime key p.
Choose a large integer q.
Choose a small integer r < p2 .
Encrypt m ∈ {0, 1} as c = qp+ 2r +m.
Decrypt c using (c mod p) mod 2 = m.
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY15 / 51
Homomorphic encryption
Homomorphic properties of DGHV
c1 = q1p+ 2r1 +m1, c2 = q2p+ 2r2 +m2
Addition
c1 + c2 = (q1 + q2)p+ 2(r1 + r2) +m1 +m2.
Hence Enc(m1 +m2)=Enc(m1)+Enc(m2).
Multiplication
c1 × c2 = (c2q1 + c1q2 − q1q2p)p+ 2(2r1r2 + r1m2 + r2m1) +m1 ×m2.
Hence Enc(m1 ×m2)=Enc(m1)× Enc(m2).
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY16 / 51
LWE
Contents
1 Introduction
2 Homomorphic encryption
3 LWE
4 NTRU
5 Lattices
6 Bibliography
7 Conclusion
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY17 / 51
LWE
Learning With Errors
LWE
Invented by O. Regev in 2005.
Security based on the GapSVP problem.
Provable Security.
Definition
The GapSVP problem: Let L be a lattice with a basis B. Let λ1(L) bethe length of the shortest nonzero vector of L. Let γ > 0 and r > 0.Decide whether λ1(L) < r or λ1(L) > γr.
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY18 / 51
LWE
Learning With Errors
Example
Easy: solve the system17 42 −12724 3 71−7 −23 45
x1x2x3
=
−32652461202
Harder: solve the system117 422 −127
214 23 71−17 −223 45
︸ ︷︷ ︸
A
x1x2x3
︸ ︷︷ ︸S
+︸︷︷︸+
e1e2e3
︸ ︷︷ ︸E
=︸︷︷︸=
−471841772485
︸ ︷︷ ︸
P
AS + E = P : LWE equation over Z.
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY19 / 51
LWE
Learning With Errors
Example
Hard: solve the system17 42 12724 3 717 23 45
x1x2x3
=
116 (mod 503)158 (mod 503)271 (mod 503)
Much harder: solve the system117 422 127
214 23 7117 223 45
︸ ︷︷ ︸
A
x1x2x3
︸ ︷︷ ︸S
+︸︷︷︸+
e1e2e3
︸ ︷︷ ︸E
=︸︷︷︸=
144 (mod 503)229 (mod 503)503 (mod 503)
︸ ︷︷ ︸
P
AS + E = P : LWE equation over Z503.
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY20 / 51
LWE
Learning With Errors
LWE Key Generation
Algorithm 1 : LWE Key Generation
Require: Integers n, m, l, q.Ensure: A private key S and a public key (A,P ).
1: Choose S ∈ Zn×lq at random.2: Choose A ∈ Zm×nq at random.
3: Choose E ∈ Zm×lq according to χ(E) = e−π‖E‖2/r2 for some r > 0.
4: Compute P = AS + E (mod q). Hence P ∈ Zm×lq .5: The private key is S.6: The public key is (A,P ).
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY21 / 51
LWE
Learning With Errors
LWE: Encryption
Algorithm 2 : LWE Encryption
Require: Integers n, m, l, t, r, q, a public key (A,P ) and a plaintextM ∈ Zl×1t .
Ensure: A ciphertext (u, c).
1: Choose a ∈ [−r, r]m×1 at random.2: Compute u = ATa (mod q) ∈ Zn×1q .
3: Compute c = P Ta+[Mqt
](mod q) ∈ Zl×1q .
4: The ciphertext is (u, c).
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY22 / 51
LWE
Learning With Errors
LWE: Decryption
Algorithm 3 : LWE Decryption
Require: Integers n, m, l, t, r, q, a private key S and a ciphertext (u, c).Ensure: A plaintext M .
1: Compute v = c− STu and M =[tvq
].
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY23 / 51
LWE
Learning With Errors
Correctness of decryption
We have
v = c− STu
= (AS + E)Ta− STATa+
[Mq
t
]= ETa+
[Mq
t
].
Hence [tv
q
]=
[tETa
q+t
q
[Mq
t
]].
With suitable parameters, the term tET aq is negligible and t
q
[Mqt
]= M .
Consequently[tvq
]= M.
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY24 / 51
LWE
LWEHard Problem
Equations
The public equation P = AS + E (mod q).
The public ciphertext c = P Ta+[Mqt
](mod q).
Can be reduced to the approximate-SVP and GapSVP.
q-ary lattices
Let A ∈ Zn×lq for some integers q, n, l.
The q-ary lattice:
Λq(A) ={y ∈ Zl : y ≡ AT s (mod q) for some s ∈ Zn
}.
The orthogonal q-ary lattice:
Λ⊥q (A) ={y ∈ Zl : Ay ≡ 0 (mod q)
}.
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY25 / 51
NTRU
Contents
1 Introduction
2 Homomorphic encryption
3 LWE
4 NTRU
5 Lattices
6 Bibliography
7 Conclusion
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY26 / 51
NTRU
NTRU
NTRU
Invented by Hoffstein, Pipher et Silverman in 1996.
Security based on the Shortest Vector Problem (SVP).
Various versions between 1996 and 2001.
Definition
The Shortest Vector Problem (SVP): Given a basis matrix B for L,compute a non-zero vector v ∈ L such that ‖v‖ is minimal, that is‖v‖ = λ1(L).
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY27 / 51
NTRU
NTRU: Ring of Convolution Π = Z[X]/(XN − 1)
Polynomials
f =∑N−1
i=0 fiXi, g =
∑N−1i=0 giX
i,
Sum
f + g = (f0 + g0, f1 + g1, · · · , fN−1 + gN−1).
Product
f ∗ g = h = (h0, h1, · · · , hN−1) with
hk =∑
i+j≡k (mod N)
figj .
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY28 / 51
NTRU
NTRU: Ring of Convolution Π = Z[X]/(XN − 1)
Polynomials
f =∑N−1
i=0 fiXi, g =
∑N−1i=0 giX
i,
Sum
f + g = (f0 + g0, f1 + g1, · · · , fN−1 + gN−1).
Product
f ∗ g = h = (h0, h1, · · · , hN−1) with
hk =∑
i+j≡k (mod N)
figj .
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY28 / 51
NTRU
NTRU: Ring of Convolution Π = Z[X]/(XN − 1)
Polynomials
f =∑N−1
i=0 fiXi, g =
∑N−1i=0 giX
i,
Sum
f + g = (f0 + g0, f1 + g1, · · · , fN−1 + gN−1).
Product
f ∗ g = h = (h0, h1, · · · , hN−1) with
hk =∑
i+j≡k (mod N)
figj .
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY28 / 51
NTRU
NTRU: Ring of Convolution Π = Z[X]/(XN − 1)
Convolution
f = (f0, f1, · · · , fN−1), g = (g0, g1, · · · , gN−1)︸ ︷︷ ︸f ∗ g = h = (h0, h1, · · · , hN−1)
.
1 X · · · Xk · · · XN−1
f0g0 f0g1 · · · f0gk · · · f0gN−1+ f1gN−1 f1g0 · · · f1gk−1 · · · f1gN−2+ f2gN−2 f2gN−1 · · · f2gk−2 · · · f2gN−3...
...... · · · · · ·
......
+ fN−2g2 fN−2g3 · · · fN−2gk+2 · · · fN−2g1+ fN−1g1 fN−1g2 · · · fN−1gk+1 · · · fN−1g0h = h0 h1 · · · hk · · · hN−1
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY29 / 51
NTRU
NTRU Parameters
N = a prime number (e.g. N = 167, 251, 347, 503).
q = a large modulus (e.g. q = 128, 256).
p = a small modulus (e.g. p = 3).
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY30 / 51
NTRU
NTRU Algorithms
Key Generation:
Randomly choose two private polynomials f and g.
Compute the inverse of f modulo q: f ∗ fq = 1 (mod q).
Compute the inverse of f modulo p: f ∗ fp = 1 (mod p).
Compute the public key h = fq ∗ g (mod q).
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY31 / 51
NTRU
NTRU Algorithms
Encryption:
m is a plaintext in the form of a polynomial mod q.
Randomly choose a private polynomial r.
Compute the encrypted message e = m+ pr ∗ h (mod q).
Decryption:
Compute a = f ∗ e = f ∗ (m+ pr ∗ h) = f ∗m+ pr ∗ g (mod q).
Compute a ∗ fp = (f ∗m+ pr ∗ g) ∗ fp = m (mod p).
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY32 / 51
NTRU
NTRU Algorithms
Encryption:
m is a plaintext in the form of a polynomial mod q.
Randomly choose a private polynomial r.
Compute the encrypted message e = m+ pr ∗ h (mod q).
Decryption:
Compute a = f ∗ e = f ∗ (m+ pr ∗ h) = f ∗m+ pr ∗ g (mod q).
Compute a ∗ fp = (f ∗m+ pr ∗ g) ∗ fp = m (mod p).
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY32 / 51
NTRU
NTRU Algorithms
Encryption:
m is a plaintext in the form of a polynomial mod q.
Randomly choose a private polynomial r.
Compute the encrypted message e = m+ pr ∗ h (mod q).
Decryption:
Compute a = f ∗ e = f ∗ (m+ pr ∗ h) = f ∗m+ pr ∗ g (mod q).
Compute a ∗ fp = (f ∗m+ pr ∗ g) ∗ fp = m (mod p).
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY32 / 51
NTRU
NTRU
Correctness of decryption
We have
a ≡ f ∗ e (mod q)
a ≡ f ∗ (p ∗ r ∗ h+m) (mod q)
a ≡ f ∗ r ∗ (p ∗ g ∗ fq) + f ∗m (mod q)
a ≡ p ∗ r ∗ g ∗ f ∗ fq + f ∗m (mod q)
a ≡ p ∗ r ∗ g + f ∗m (mod q).
If p ∗ r ∗ g + f ∗m ∈[− q
2 ,q2
], then
m ≡ a ∗ fp mod p.
MAPLE p. 24Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY33 / 51
NTRU
NTRU
Example
Key generation
Public parameters N = 13, p = 3, q = 8.
Private keys f = X12 +X11 +X10 +X9 +X8 +X7 + 1,g = X12 +X5 −X4 +X3 −X2 +X − 1.
f ∗ fp ≡ 1 (mod p) with fp =2X12+2X11+2X10+2X9+2X8+2X7+2X5+2X4+2X3+2X2+2X.
f ∗ fq ≡ 1 (mod q) with fq =X12+X11+X10+X9+X8+X7+2X6+X5+X4+X3+X2+X+2.
The public key is h ≡ g ∗ fq(mod q) = 2X12 + 2X11 + 2X9 + 2X7 + 3X5 + 2X3 + 2X.
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY34 / 51
NTRU
NTRU
Example
Encryption
Message m = X10 +X8 +X7 +X4 +X3 + 1.
Random error r = X12 +X11 +X8 +X7 + 1.
The ciphertext e =≡ p ∗ r ∗ h+m (mod q) ≡5X12+2X11+3X10+2X9+5X8+3X7+2X6+5X5+6X4+4X3+2X.
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY35 / 51
NTRU
NTRU
Example
Decryption
a ≡ f ∗ e (mod q)
≡ 6X12 + 3X11 + 6X10 + 2X9 + 3X8 + 4X7
+6X6 + 6X5 + 4X4 + 7X3 +X2 + 6X + 3.
m ≡ fp ∗ a (mod p)
≡ X10 +X8 +X7 +X4 +X3 + 1,
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY36 / 51
Lattices
Contents
1 Introduction
2 Homomorphic encryption
3 LWE
4 NTRU
5 Lattices
6 Bibliography
7 Conclusion
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY37 / 51
Lattices
Introduction to lattices
Definition
Let n and d be two positive integers. Let b1 · · · , bd ∈ Rn be d linearlyindependent vectors. The lattice L generated by (b1 · · · , bd) is the set
L =
d∑i=1
Zbi =
{d∑i=1
xibi | xi ∈ Z
}.
The vectors b1 · · · , bd are called a vector basis of L. The lattice rank is nand the lattice dimension is d. If n = d then L is called a full rank lattice.
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY38 / 51
Lattices
Introduction to lattices
Example: Lattice with dimension 2
b1 =
[10
], b2 =
[0.51
], L =
{v, v = x1b1 + x2b2, (x1, x2) ∈ Z2
}.
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
b1
b2
Figure: The lattice with the basis (b1, b2)
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY39 / 51
Lattices
Introduction to lattices
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY40 / 51
Lattices
Introduction to lattices
How to find v?
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
b1
b2
v?
Figure: A lattice with a bad basis (b1, b2)
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY41 / 51
Lattices
Introduction to lattices
How to find v?
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
b1
b2
u1
u2 v?
Figure: The same lattice with a good basis (u1, u2)
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY42 / 51
Lattices
Short vectors
Definition (The Shortest Vector Problem (SVP))
Given a basis matrix B for L, compute a non-zero vector v ∈ L such that‖v‖ is minimal, that is ‖v‖ = λ1(L).
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY43 / 51
Lattices
Short vectors
The shortest vector
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
b1
b2
λ1
Figure: The shortest vectors
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY44 / 51
Lattices
Closest Vectors
Definition (The Closest Vector Problem (CVP))
Given a basis matrix B for L and a vector v 6∈ L, compute a vector v0 ∈ Lsuch that ‖v − v0‖ is minimal.
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY45 / 51
Lattices
Closest Vectors
The closest vector
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
• • • • • • • • • • • • • • •
b1
b2v
v0
•
Figure: The closest vector to v is v0
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY46 / 51
Bibliography
Contents
1 Introduction
2 Homomorphic encryption
3 LWE
4 NTRU
5 Lattices
6 Bibliography
7 Conclusion
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY47 / 51
Bibliography
Bibliography
1 P.W. Shor: Polynomial-time algorithms for prime factorization anddiscrete logarithms on a quantum computer, SIAM J. Computing 26,pp. 1484–1509 (1997).
2 O. Regev: On lattices, learning with errors, random linear codes, andcryptography, STOC 2005, ACM (2005) p. 84–93.
3 J. Hoffstein: J. Pipher, and J. H. Silverman, NTRU: A Ring BasedPublic Key Cryptosystem in Algorithmic Number Theory. LectureNotes in Computer Science 1423, Springer-Verlag, pp. 267–288, 1998.
4 Pittet Shillong: 2013, November 18 - 29, Fourier analysis of groupsin combinatorics, CIMPA-UNESCO-MESR-MINECO-INDIA researchschool: North Eastern Hill University, Shillong.https://hal.archives-ouvertes.fr/CIMPA/cel-00963668v1
5 A. Nitaj: Quantum and Post Quantum Cryptography.http://www.math.unicaen.fr/~nitaj/postquant.pdf
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY48 / 51
Conclusion
Contents
1 Introduction
2 Homomorphic encryption
3 LWE
4 NTRU
5 Lattices
6 Bibliography
7 Conclusion
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY49 / 51
Conclusion
ConclusionLattice based cryptography
Can be used to build cryptographic schemes (GGH, NTRU, LWE,...).
Can be used to build fully homomorphic encryption, Digitalsignatures, identity based encryption IBE, hash functions.
Many hard problems (SVP, CVP, ....).
Fast implementation.
Resistance to quantum computers and NSA.
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY50 / 51
Conclusion
Merci
Thank you
Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY51 / 51